02-28-2012 11:40 AM - edited 03-04-2019 03:28 PM
Hello all,
I'm pretty new to the MPLS and DMVPN worlds, but after much research and reading I'm still left with some basic "what should be done" or "what do most people do" type questions. So I need a little help getting down to the brass tacks / action items I should be completing or looking at.
The current network state is that we have more than a handful of small remote sites that are using site-to-site VPN via ASAs. Each site also has remote-access VPNs coming into it. The problem, of course, is that we are bringing more and more sites online every year. This network has no real design beyond connectivity, but we do have most VPNs terminating at one site that is a VERY lacking "hub" type site.
Here were the goals:
There are a lot more goals to complete, but these are the few that relate to the question(s). Here is the network design: the "very lacking" site is going to be our starting hub site (Op Hub2) until we get our main hub site at a colo up and running. But the Op (operations, aka the lacking site) network and the CoLo network will be the hub sites. Each hub will be running ACS, ACE servers, and a GSS server to load balance applications, plus remote-access VPNs. Each hub site will also have access to both the internet and MPLS. The network between them will be the "control network" that will be home to the ACS, ACE, GSS, and all hosted apps. Each remote site (Site X) will have access to both MPLS and the internet, but the internet link is going to be a re-purposed DMVPN link (I'm hoping). And each remote site's internet-bound traffic will exit via the hub site. The curve ball (at least for me, every time I think I have all the answers) is that all sites mandate that access goes through ASAs with IPS installed, for both MPLS and internet. Or it might not be a curve ball at all.
That's the overview. This is what I need to clear my head on. Some advice would be great.
Thanks for your time and help,
Nick
03-03-2012 03:49 AM
Hi Nick,
First of all, this new design is more scalable than just using remote-access or site-to-site VPN.
With MPLS, normally your hub sites and remote sites will exchange routing with the telco, let's say BGP for example,
and by advertising the networks that need to be accessed by remote sites with some BGP attribute manipulation, such as AS path, you can make both hubs work in active/standby.
By using the DMVPN as a redundant path/link for remote sites you will be able to maintain connectivity to the hub sites in case the MPLS link is down.
A few things to keep in mind:
- DMVPN has to be exchanged and terminated on routers (the ASA does not support it).
- You can terminate the DMVPN mGRE tunnel on the front-end router and then send the traffic to the ASA for inspection and filtering.
- Use another routing protocol over the DMVPN and advertise the same networks advertised over the MPLS routing, but with a higher metric. For example, you can use RIP or OSPF over the DMVPN with a higher route AD; this will make sure the routes learned over the MPLS link are always preferred, and once that link goes down the DMVPN path will be the only path to reach those networks.
See the links below, which might help you.
This one I posted before; it discusses your case in a simple way:
https://supportforums.cisco.com/docs/DOC-8356
cisco link
Hope this helps.
If helpful, rate.